HPE Security – Data Security (https://www.voltage.com)
Email Encryption, Enterprise Cloud Data Protection, End-to-End Encryption, Tokenization, Database Encryption, Data Masking, Key Management Solutions
Feed last updated Thu, 25 May 2017 20:46:23 +0000

Join HPE Security at the Gartner Security & Risk Management Summit
https://www.voltage.com/security/join-hpe-security-gartner-security-risk-management-summit/
Thu, 25 May 2017 20:16:50 +0000

June is right around the corner, which means it is time for the Gartner Security & Risk Management Summit in National Harbor, MD.  This annual gathering of security and risk management leaders helps organizations prepare for and head off increasingly dangerous cyber threats. The Summit takes place from June 12-15 and this year’s theme is: Manage Risk. Build Trust. Embrace Change.

Who typically attends? Gartner reports that over 3,000 attendees such as CIOs, CISOs, security analysts and architects, and other related security professionals descend on DC for this annual event. The agenda addresses the latest threats, flexible new security architectures, data privacy, governance strategies and the role of the chief information security officer (CISO).

HPE Security at Gartner

HPE Security considers this show so important for educating security professionals that we are a premier sponsor, with the theme “Fearlessly Innovate.” We are in a period of disruptive change, where success is achieved by innovating faster than the competition. Innovating means adopting technologies that increase productivity, lower costs and extend businesses into new markets. In this environment, organizations that rapidly design, deploy and adapt IT based on the needs of customers, partners and employees cannot be slowed down by security. However, ignoring risk in an increasingly connected world jeopardizes innovation.

We feel that security must accelerate, not impede innovation.  We help you build security directly into your data and your apps. We provide the visibility, analytics and automation to rapidly detect, respond to, and remediate threats at scale.

There are many ways to interact with HPE Security and educate yourself in protecting your users, apps and data.

  • Stop by our booth
  • Set up 1:1 meetings with our Security Experts
  • Attend our Solution Provider Session
  • Visit our Learning Labs

Visit our Booth

Visit us at Booth #103 to see live demonstrations of our industry leading Data Security, ArcSight and Fortify product offerings. At the booth, you can set up your 1:1 meeting with our security experts.

Solution provider session:

Join the SIEM Revolution: Q&A Exploring Today’s Intelligent Security Operations 
Today’s Security Operations are facing new disruptors: the sheer scale and variety of data sources, persistent and adaptive threats, and shortage of cybersecurity experts. It requires a revolutionary transformation of SecOps. Join us for a provocative Q&A session with experts managing security operations for some of the world’s largest government and commercial organizations. Hear first-hand stories about how these pros are addressing the toughest security challenges and providing new levels of defense for their businesses.
Date: Monday, June 12
Time: 3:15pm – 4:00pm
Session ID: SPS14

Learning Labs:

New this year at the Gartner Security & Risk Management Summit are learning labs. HPE Security will host several learning labs to educate attendees on various topics including protecting against cyber threats, securing DevOps and data-centric protection for your most valuable data. See the detailed descriptions below and plan to attend the ones that are most relevant.

Data-Centric Protection for Your Most Valuable Data
Are you leaving your most important asset, your data, unattended? Discover how to neutralize breaches, comply with legislation and protect your most valuable data. Data-Centric security protects sensitive data at-rest, in-motion and in-use while powering Omni-Commerce, Cloud and Big Data. Join us to learn why AES FF1 is a strong, vetted, resilient NIST and FIPS validated mode of encryption that enables you to protect your most valuable data.

The new rules of engagement to protect against cyber threats
While organizations agree that protecting against cyber threats is a top priority, it is becoming increasingly difficult to pinpoint what EXACTLY needs to be done to achieve that. In this session, we will look at the three underlying disruptors that are responsible for today’s cyber attacks and then dive deep into the strategies that intelligent SOCs are adopting to fight against them.

Advances in application security: harness the power of machine learning
As the software environment becomes more complicated, can your app sec program actually become more simplified? See how machine learning can streamline your app sec process by highlighting vulnerabilities that are most critical to your unique enterprise, allowing you to focus on issues of most risk to you. 

Practical advice for securing DevOps: how to code securely without slowing down developers
As enterprises move towards DevOps, deployment cycles get squeezed. How do you balance speed with security? The two do not have to be mutually exclusive. In this session, we will share best practices from customers of market-leading HPE Security Fortify. See how the best app sec programs deliver more secure code, faster.

2017 Hot Topics at Gartner

Gartner also has many sessions filled with content for security professionals. Some of the hot topics this year include privacy and data security, enabling safer cloud computing, risks and opportunities of the Internet of Things, data security and risk governance, and mobile security for digital business. HPE Security can help you navigate and leverage these topics to make you and your business successful.

Haven’t registered yet? Our customers and prospects can register here with promo code SECSP60 for a discounted full conference pass, courtesy of HPE Security! Looking forward to seeing you at the show.

The post Join HPE Security at the Gartner Security & Risk Management Summit appeared first on HPE Security - Data Security.

Data Masking Addresses the Changing Threat and Compliance Landscape
https://www.voltage.com/fpe/data-masking-addresses-changing-threat-compliance-landscape/
Thu, 18 May 2017 18:25:55 +0000

HPE Security – Data Security is pleased to be recognized in Gartner’s Market Guide for Data Masking (published 6 February 2017; analysts Marc-Antoine Meunier and Ayal Tirosh). As a leading visionary in the prior Magic Quadrant for Data Masking Technology, Worldwide (published December 2015), underpinned by our 10-year leadership in Format-Preserving Encryption technology that is now a recognized NIST standard, we welcome the new guidance from Gartner analysts Meunier and Tirosh.

The Market Guide defines Data Masking as a technology aimed at preventing the abuse of sensitive data by giving users fictitious yet realistic data in place of real, sensitive data while maintaining their ability to carry out business processes. The Data Masking market has been growing steadily for years, and Meunier expects it to grow even more in 2017, and, in our opinion, beyond.

The market guidance is timely – new privacy regulations such as the General Data Protection Regulation (GDPR) put additional compliance cost pressure on enterprises around the world. Massive growth in data consumption that is powering the next generation of businesses has to be balanced against the risk of sophisticated attacks on sensitive personal data. The recommendation is to look beyond traditional static masking to approaches such as those available in HPE SecureData, which enable organizations to build a hybrid data de-identification, pseudonymization, and production protection strategy. This strategy can span traditional databases, cloud, big data ecosystems, data warehouses and mission-critical platforms through powerful, dynamic Format-Preserving Encryption that reduces risk, increases data utility, and simplifies compliance.

This important Market Guide comes on the heels of another Gartner publication, How Data Masking Is Evolving to Protect Data From Insiders and Outsiders, published: 28 November 2016, Analyst: Marc-Antoine Meunier. That report has specific recommendations for security and risk management leaders concerned with application and data security. The report advised that organizations should “consider using format-preserving encryption and tokenization. Together, they cover a broader spectrum of use cases and software life cycle phases.”

Format-preserving Encryption:

Format-preserving encryption (FPE) is an encryption technology that protects sensitive data while preserving the data format. It transforms data that is formatted as a sequence of symbols in such a way that the encrypted form has the same format and length as the original (e.g., 9 digits for a social security number, 16 digits for a credit card number). Since no changes to the data format are needed, retrofitting legacy applications is simple, as opposed to conventional encryption, which changes the data format and makes integration complex. FPE also preserves the data’s contextual value, relationships and meaning, enabling business processes and secure analytics.

Our HPE SecureData encryption product uses HPE FPE and Secure Stateless Tokenization technologies, which can be used to create masked data for developers in test and development, avoiding the need for live data in testing. This powerful platform uses advanced HPE FPE technologies to transform live data into a neutralized yet useful encrypted form that applications can still execute on and that can still be used in analytics – without unnecessary encryption, which can lead to exposure and risk.

Security and risk management leaders should use data masking to desensitize or protect sensitive data, the market guide advises, and should address the changing threat and compliance landscape. In 2016, data breaches have, once again, demonstrated the growing importance of this technology market.

Key Findings:

The Market Guide for Data Masking lists these findings:

  • The evolution of threat and compliance environments continues to fuel demand for data masking (DM) solutions. This demand is further sustained by data growth within organizations and the expansion of data analytics use to drive the business.
  • Buyers are increasingly concerned with the risk of reidentification of masked data, especially in complex big data environments, and facing regulations such as GDPR, which require an assessment of that risk.
  • Data masking is available in an increasingly broad array of deployment options to address new and evolving data management and application architectures.

Recommendations

These are the recommendations from the Market Guide for security and risk management leaders responsible for data security and compliance:

  • Mitigate data risk and enable your organization’s digital business transformation by adopting data masking and complementary technologies such as format-preserving encryption and tokenization as a key strategy.
  • Achieve an effective and sustainable deidentification of sensitive data by assessing the reidentification risks throughout the life cycle of your data masking implementation, and favor vendors that offer tools and expertise to establish the reidentification risks.
  • Mitigate risk in applications where traditional DDM approaches have struggled by taking advantage of innovative DDM solutions at the data virtualization or alternative application tiers.

Use this link to read the full report: Market Guide for Data Masking.

The post Data Masking Addresses the Changing Threat and Compliance Landscape appeared first on HPE Security - Data Security.

Beyond the Red and Blue Pill – Maintaining Data Usability while Protected
https://www.voltage.com/fpe/beyond-red-blue-pill-maintaining-data-usability-protected/
Thu, 11 May 2017 20:57:21 +0000

Many of us remember, or have at least seen the meme from, the movie The Matrix, where Morpheus offers Neo a choice between a red pill and a blue pill. The decision is to either live in a harsh reality or choose blissful ignorance. Neo takes the red pill, preferring to explore the harsh reality of the Matrix.

Now, if you’re a security administrator working with an application team or line of business owners, you may not realize that you offer your business a similar choice each day:

  • Do you encrypt sensitive data and leave it blissfully unusable, happy to remain at rest within your storage and servers, free from potential abuses? Or,
  • Do you make data available in the clear to applications within the harsh Matrix-like reality that exists in IT with the potential insider misuse and external threats to steal it?

In the Matrix, Agent Smith wants to attack your data, Neo!

Back in IT reality, it’s a tough call when weighing the trade-offs between business continuity and reliable access to data with the need to protect sensitive data. The “red pill” of open data usability must be considered as a risk trade-off with the “blue pill” of constant protection where one need not worry.

But what if I told you there was a Purple Pill compromise for usable data protection, and it has a name? It’s format-preserving encryption, and it offers the best of both worlds—data usability with security.

Let’s stay in Wonderland and go further down the rabbit-hole with format-preserving encryption…

Traditional encryption forces a risk decision to encrypt or to leave data exposed in clear text. This creates gaps in security controls when data moves from at-rest, in-motion, to in-use. Instead, format-preserving encryption (FPE) maintains data in an encrypted state, while also making it useful to applications with limited or discretionary risk exposure. If data needs to be exposed for a particular use, it can be limited to specific elements of the data, such as partial masking of a phone number (think, XXX-XXX-3265). But how does FPE do it?

HPE SecureData’s FPE implementation, as an industry-leading example, is based on standardized AES encryption to protect data reliably while keeping the format of the data unmodified. A social security number still looks like one to a database without requiring schema modifications, a date field still looks like a date to an application, and so on. At the same time, referential integrity is preserved for the data class, so Big Data analytics or database joins can be run on the encrypted data just like normal, without an application choking on the operation.

This is a game changer compared with traditional encryption, which lacks this flexibility, and it is a differentiator that HPE can offer for today’s high-volume, data-intensive applications that act on protected information without exposing unnecessary risk, such as Big Data data-lake mining and IoT applications.

By addressing both utility and security, FPE doesn’t need to compromise on either aspect. Security is transformed from a business inhibitor to now the opposite—an accelerator of new initiatives while still mitigating risks. Encrypted data that retains its format looks and acts the same to applications, making it possible to avoid revealing it in clear text unless absolutely required for a specific use case.

Unleash the power of your data initiatives without the fear!

What a boring movie it would have been if Neo simply chose to live in harsh reality, but never needed to use his amazing bullet-time martial arts as a defense. He simply got on with his day without worries, while Mr. Smith gave up against a proven competitor. Now, any security administrator can be a hero to their line of business owners!

Consider today how your data can be afforded the same luxury using the data-centric approach of format-preserving encryption. If an authorized application requires data to be revealed, it would be a situational choice if required for that application, rather than a constant risk when data moves from storage, across the network and into various applications. To learn more about format-preserving encryption, products and solutions, swallow the purple pill and visit these links:

The post Beyond the Red and Blue Pill – Maintaining Data Usability while Protected appeared first on HPE Security - Data Security.

GDPR: Where do I start?
https://www.voltage.com/gdpr/gdpr-where-do-i-start/
Thu, 04 May 2017 22:12:32 +0000

As we engage with our customer base, awareness of General Data Protection Regulation (GDPR) is starting to grow. Most CISOs and CIOs are at least aware of the regulations (and the stiff penalties). They also are becoming aware that compliance with GDPR is about a year out, as the date for compliance is May 25, 2018.

Protecting personal data has always been an important issue in the European Union (EU), especially in the last 20 years. However, the new GDPR takes data protection to an entirely new level. In addition to a new set of legal requirements that necessitate both organizational and technological responses, the GDPR is applicable to almost every organization around the world that collects or processes EU Citizens’ personal data. That means that any business that controls and/or processes personal data of EU citizens falls under the GDPR scope, whether or not that business is located in the EU. Even third-party data service providers or cloud service providers that process data for enterprises that control personal data could also be liable for GDPR penalties.

Got it. Now where do I start?

The GDPR is a long read with 99 articles in fairly dense regulatory text.  There are many stakeholders to satisfy, and it can be difficult to map the articles to IT use cases.  But most would agree, the #1 challenge is: how to get started.

Here’s how we can help. This week, Hewlett Packard Enterprise (HPE) Software announced the availability of a GDPR Starter Kit, which helps organizations take a critical first step in preparing for GDPR. This bundled set of software solutions assists organizations to automatically identify, classify, and take action to secure information that falls under this regulation.

There are many reasons getting started may be the greatest challenge for many organizations. For example, “data volumes often number in the billions of objects, timeframes are constrained, and determining what falls within these regulations can be cumbersome and complex,” said Joe Garber, vice president marketing, Information Management & Governance, HPE Software, in the press advisory. “The GDPR Starter Kit provides customers with an easily integrated solution set for assessing data, allowing them to take the first step in addressing data and risk management outlined in the regulation.”

The GDPR Starter Kit follows HPE’s earlier launch of a comprehensive GDPR solution portfolio, and aims to provide organizations with streamlined next steps on their paths to compliance.

GDPR Starter Kit Includes:

The GDPR Starter Kit combines world-class software, including HPE ControlPoint, HPE Structured Data Manager, HPE Content Manager and HPE SecureData in bundled solutions to help customers conduct a Personal Data Assessment and optionally encrypt data that is subject to these regulations. This unique combination of classification, information governance, and data security delivers a number of important benefits:

  • Automate assessment of structured and unstructured data, which alleviates a traditionally manual, error-prone process.
  • Quickly and cost effectively encrypt data to mitigate security breaches.
  • Take a critical step toward lifecycle and retention management to enable compliance with additional GDPR articles and corporate governance requirements.

Consulting firm PwC has just released a new GDPR-themed white paper titled, “Technology’s role in data protection – the missing link in GDPR transformation.” This new white paper is a great resource that echoes the Starter Kit’s theme of starting your GDPR journey by assessing your data.  The white paper provides a framework for practitioners and regulators on evaluating GDPR technology. At its most fundamental level, it is describing data management best practice in the context of the GDPR, something we advocate, too.

Learn more:

The post GDPR: Where do I start? appeared first on HPE Security - Data Security.

At HPE, Strong AES FF1 Crypto and NIST Standards Matter
https://www.voltage.com/crypto/hpe-strong-aes-ff1-crypto-nist-standards-matter/
Thu, 27 Apr 2017 22:58:50 +0000

What happened – what is the NIST announcement?

On April 12th, 2017, the National Institute of Standards and Technology (NIST) announced a cryptanalytic attack on the AES FFX Format-preserving Encryption (FPE) mode FF3, and as a result, NIST may revise Special Publication 800-38G, the document that specifies approved AES FFX FPE modes.

The good news is this announcement has no impact on HPE SecureData customers who use AES FFX Format-preserving Encryption mode FF1.

However, this announcement is disappointing news for vendors who have widely adopted and marketed the FF3 encryption mode for their FPE offerings.

This announcement is the result of research completed by Betül Durak (Rutgers University) and Serge Vaudenay (Ecole Polytechnique Fédérale de Lausanne). In January 2017, the researchers gave a presentation at the ESC (Early Symmetric Crypto) 2017 Conference and their research will likely be published in the coming year. While they have identified a potential fix for the FF3 encryption mode, NIST has not yet determined whether it will restore the cryptographic strength of the FF3 encryption mode.

As a result of the identified weaknesses in the FF3 mode, NIST no longer considers FF3 a full-strength FPE mode. NIST expects to revise Special Publication 800-38G after the details of the attack are published, and a period of public comment completed – and states it will change the FF3 specification or withdraw the approval of FF3.

What does this mean to your business?

If you are currently using a Format-Preserving Encryption vendor solution with the FF3 encryption mode, the NIST announcement suggests that you may no longer be protected by an acceptable strength solution and may be vulnerable to attacks. NIST states it “has concluded that FF3 is no longer suitable as a general-purpose FPE method”. Moreover, you may risk noncompliance with various data security regulations, such as the Payment Card Industry Data Security Standard (PCI DSS), the Health Insurance Portability and Accountability Act (HIPAA), and the General Data Protection Regulation (GDPR). Furthermore, data privacy regulations and guidelines that follow or depend on NIST standards may consider similar actions based on the NIST announcement.

If you are on the cusp of an FPE vendor decision, due diligence on vendor claims is critical. With leading organizations demanding data-centric security, vendors have rushed to market with a range of proprietary solutions, or implementations of FF3, which now has an identified weakness. When determining your data protection and privacy strategy, it is critical to choose a standards-based, validated and fully approved solution. Standards matter for reliable security and audit compliance! This announcement is another example of why it is important to complete a peer review for independent validation of security assurance and proven solution strength.

If you are a SecureData customer, you know HPE FPE uses the NIST AES FF1 mode FPE standard. FF1 encryption was developed by world-leading cryptography experts. HPE is a pioneer of Format-preserving Encryption and submitted the core cryptography to NIST for the AES FF1 mode FPE standard. HPE’s AES FF1 is fundamentally different in design and in its ability to resist the classes of attack to which FF3 is now proven vulnerable.

FF1 features an algorithm with strong safety margins to protect against unanticipated analytic attacks and even defend against implementation flaws. This cryptanalytic attack on FF3 is the result of the class of threat that was anticipated by HPE when it designed FF1.

Gold standard: SecureData uses the industry’s first FIPS-validated FPE

This NIST announcement underscores the importance of HPE’s April 13, 2017 News Advisory on FIPS Validation of FPE. NIST awarded FIPS 140-2 validation ONLY to FF1 mode FPE. HPE SecureData has the world’s first FIPS-validated AES-FF1 encryption configuration option to operate in strict FIPS mode.

What can you do to recover if you rely on a vendor that uses FF3 as a solution to protect your data?

Any organization using Format-Preserving Encryption products with the FF3 mode, or non-validated proprietary technology without peer review, should re-evaluate their data protection strategy in light of these risks.

HPE SecureData with Hyper FPE and Hyper SST is used by many industry-leading corporations in the world to protect their most valuable data. This includes six of the top eight U.S. payment processors; nine of the top ten U.S. banks; and major global enterprises across the telecom, energy, finance, transportation, retail, insurance, high tech, public sector, and healthcare industries.

Contact HPE Security – Data Security to learn more about Hyper FPE with HPE SecureData.

The post At HPE, Strong AES FF1 Crypto and NIST Standards Matter appeared first on HPE Security - Data Security.

End-to-end Protection for Payment Data
https://www.voltage.com/payments/end-end-protection-payment-data/
Thu, 27 Apr 2017 03:40:40 +0000

In today’s environment of heightened regulatory requirements and increasing risk of cardholder data breach, it is critical for merchants, payment processors, and acquirers to protect payment data anywhere it moves, anywhere it resides, and however it is used. In payment acceptance systems, including EMV (Europay, Mastercard and Visa) terminals, payment data is commonly left unprotected during the authorization and settlement processes. Payment data is also left unprotected during routine and necessary back-office business processes such as fraud screening, chargeback processing, and recurring payment processing. Traditional methods for protecting payment data are often inflexible, expensive, and difficult to implement.

HPE SecureData Payments securing sensitive data end-to-end
HPE SecureData Payments protects payment data at all points, from swipe/dip through to the payment processor, end-to-end. It eliminates the traditional complexities associated with payment device key injection, key management and payment application changes, and enables a true end-to-end architecture that can be rapidly deployed even in the most complex environments.

PCI Compliance Alignment
HPE SecureData Payments can reduce the cost of complying with PCI DSS—a direct result of reducing the number of changes necessary to implement payment data protection while eliminating payment data from databases and applications. By incorporating HPE Secure Stateless Tokenization with HPE SecureData Payments, service providers, merchants, and enterprises are able to secure back-end data, removing data from PCI audit scope while complying with the latest PCI DSS requirements for cardholder data protection. HPE Secure Stateless Tokenization maintains token schemes across regions with no communication between them, eliminating the need for a central key management database as well as database replication. By tokenizing card numbers immediately at the source, clear data is eliminated from the transaction process.

As providers move to point-to-point encryption (P2PE) validations, HPE SecureData Payments enables service providers to expand their reach by offering a complete P2PE v2 validated solution. With HPE SecureData Payments, cardholder data is protected from the earliest point of entry in such a way that decryption keys are not available at POS devices or any other intermediate systems, significantly reducing the potential attack surface. HPE SecureData Payments communicates with validated, authorized payment terminals, sending secure payment transactions to the back-end system for processing. The back-end host incorporates an integrity check on the cryptographic functions, creating host logs based on crypto changes. This enables management and control of the complete system and payment transactions.

Innovation in cryptography provides end-to-end encryption without massive changes
HPE SecureData Payments is a complete payment transaction protection framework, built on two breakthrough technologies encompassing encryption and key management: HPE Format-Preserving Encryption (FPE) and HPE Identity-Based Encryption (IBE). These two technologies combine to provide a unique architecture that addresses the complexity of retail environments with high transaction volume.

HPE Format-Preserving Encryption
With HPE Format-Preserving Encryption (FPE), credit card numbers and other structured data are protected without changing the data's format or length. Data properties such as a checksum can be maintained, and selected portions of the data can be left in the clear. This preserves existing processes such as BIN routing or the use of the last four digits of the card in customer service scenarios. Only the digits that are actually encrypted are protected, so the choice of which digits remain visible should follow the PCI DSS masking rule (at most the first six and last four digits of the PAN) rather than convenience.

HPE Identity-Based Encryption
HPE Identity-Based Encryption (IBE) is a key management approach that removes the complexity of both traditional Public Key Infrastructure (PKI) and symmetric key systems. In IBE the public key is derived from an identity string, such as a terminal identifier, so a device can encrypt to the host without first being provisioned with a certificate or a shared secret, and only the host-side key server holds the corresponding private key. No digital certificates or keys have to be injected into devices or synchronized between them. HPE IBE also enables end-to-end encryption from swipe to processor and from swipe to trusted merchant applications.

With point-of-sale (POS) solutions that use legacy symmetric encryption, encryption keys must be reset annually for each POS device through a process called key injection. This procedure is expensive and cumbersome, as merchants must take POS devices offline while new keys are injected. With HPE SecureData Payments, because encryption keys are securely generated on demand and not stored, POS devices do not require key injection or key rotation. Keys are handled automatically by the system, eliminating labor-intensive key management processes and costs.

HPE SecureData Payments compatibility

  • Robust host-side capabilities and broad platform support: the HPE SecureData Payments Host SDK can be deployed on a wide variety of platforms including HPE NonStop, Windows®, Linux®, UNIX®, z/OS, and Stratus. HPE SecureData Payments is the only data protection solution available that natively runs on NonStop (OSS and Guardian) and Stratus VOS, enabling maximum protection and efficiency.
  • Unified, complete end-to-end data security: HPE SecureData Payments enables merchants and service providers to protect their entire payment stream and reduce PCI audit scope from the end user to back-end systems, covering m-commerce (in-app) payment data, e-commerce/in-browser payment data, device-based encryption of payment data (P2PE), and PCI data stored for post-authorization needs.
  • Stateless key management: HPE SecureData Payments does not require digital certificates or keys to be injected or synchronized with the host. Because encryption keys are securely generated on demand, POS devices sufficiently protect card data without the need for key injection or key rotation, which can be labor-intensive and expensive to administer.
  • Integrated with an industry-leading pioneer: HPE SecureData Payments is the only off-the-shelf integrated solution with a PCI-HSM and FIPS validated secure root of trust (HPE Atalla HSM) to protect payment data, payment authorization and fraud prevention. The integrated solution extends end-to-end data protection through the combined, integrated solutions of HPE SecureData Payments and HPE Atalla Hardware Security Module (HSM). By joining data-centric data protection with a tamper-reactive hardware security module, companies are able to neutralize data breaches by protecting data, rendering it useless to attackers.
  • Multiple integration options: Processors and merchants can choose to integrate using SDKs, Web services, and/or command line tools for quick and simple deployment. End-to-end encryption can easily be combined with HPE Secure Stateless Tokenization (SST) to provide merchants with a complete solution for PCI audit scope by protecting data stored for post-authorization needs.
  • Integrated POS systems: HPE SecureData Payments solution is integrated into a variety of payment terminal devices and platforms, giving organizations the flexibility to select one or more payment vendor(s) for the required business needs. For a complete list of payment partners, visit com/partners.
  • Scalability and performance: a flexible architecture that scales quickly with transaction volume, without merchants having to manage payment transaction protection themselves. The platform gives complete control over the end-to-end payment security stream for omni-channel business requirements.

How secure is secure?
Coalfire, a well-known cyber risk management and compliance organization, conducted independent technical assessments of HPE SecureData Payments to verify that it meets the current PCI DSS requirements and best practices.

End-to-End Data Security for the Payments-driven Market
HPE SecureData Payments is part of the HPE SecureData portfolio for protecting sensitive data in motion and at rest. It is a complete payment transaction protection framework built on a flexible and highly scalable architecture, including a common back-end infrastructure that protects system and device payment transactions for e-commerce and m-commerce, mobile payments, card-on-file (card-not-present, CNP) and the associated PII in the payment stream.

Protect the full payment stream—more than just the credit card number—and the associated PII payment stream information, including payment data from POS devices, terminals, browsers and mobile devices. By incorporating data-centric endpoint protection with HPE SecureData Web and HPE SecureData Mobile, enterprises and service providers are able to protect the full payment lifecycle.

The post End-to-end Protection for Payment Data appeared first on HPE Security - Data Security.

How does a payment data breach occur through an e-commerce site?
https://www.voltage.com/payments/payment-data-breach-occur-e-commerce-site/
Thu, 20 Apr 2017 21:38:37 +0000

According to Identity Theft Resource Center (ITRC), the majority of data breaches in 2016 was due to hacking/skimming/phishing (29.5%). Data types that were siphoned off were mostly personally identifiable information (PII) such as social security numbers (SSN), names, and date of birth, as well as sensitive payment data. Data breaches have become regular news in the security world, and it is not a matter of if an organization will suffer a data breach but when.

The latest victim was Gamestop.com, which was targeted by hackers via its website. Sensitive credit card information was stolen along with customer PII. Brian Krebs mentioned on his security website that "based on a few sources, Gamestop.com was likely compromised by intruders between mid-September 2016 and the first week of February 2017." It can't be a coincidence that this window covered the busy holiday shopping season. He also mentioned that in addition to names and addresses, the hackers took credit card numbers with expiration dates and the card verification number (CVC2/CVV2, the three-digit security code).

How do these breaches occur?

One way is that hackers siphon these types of data sets from the merchant’s website by placing malicious software (or malware) into their e-commerce site, so the data is taken when the customer enters the data and before it reaches the business’s back-end web servers.

You might ask how this can happen. If you are security savvy, you would expect the business to have used a secure transport channel, Secure Sockets Layer (SSL) / Transport Layer Security (TLS), commonly written SSL/TLS, which is the standard protection any organization would have in place. It is imperative for enterprises to understand that while a standard secure transport channel is necessary, it is not enough to protect the data.

SSL/TLS are cryptographic protocols that provide communications security over a network. What matters in this context is that the secure tunnel they provide runs only from one point to another. Once the data reaches the other side (application, server or load balancer) it is decrypted and is in clear text as it traverses the rest of the infrastructure, ripe for the taking. Skimming code injected into the checkout page runs inside the customer's browser before the data is ever sent, so transport encryption never even sees that theft. And while SSL/TLS does protect data on the move, it is not foolproof either: older protocol versions and individual implementations have had a long list of reported vulnerabilities.

What can be done?

How can businesses mitigate these data breaches? Data-centric security is the right strategy to ensure that the data is secure when entered in the source (web browser/mobile or any other application). Data needs to be secured through its complete flow, both in-motion and at-rest. The best approach for data protection is to encrypt the data when in-motion and tokenize when at-rest. This way, in the event of a breach, the data is encrypted and therefore useless to the hackers.

Format-Preserving Encryption (FPE) is an encryption method that preserves the data format: it transforms data formatted as a sequence of symbols from some alphabet (decimal digits, for example) so that the encrypted form has the same format and length as the original. FPE is built on Feistel-based constructions such as FFX. FF1, the NIST-approved mode defined in SP 800-38G, is derived from FFX and uses the AES block cipher (128-bit blocks) as its underlying primitive.

HPE SecureData Web and HPE SecureData Mobile are built on FPE and on the patented HPE Page-Integrated Encryption (PIE). PIE encrypts the sensitive payment data in the browser using a random key generated by the back-end server and delivered through JavaScript loaded on the merchant's payment page, or through native mobile OS (iOS and Android) libraries integrated into the merchant's mobile application. This gives end-to-end protection from the point of entry in the application until the data reaches the trusted back-end host; intermediate web servers, load balancers and logs never see clear data. It can be combined with a Hardware Security Module (HSM) to anchor the keys in a hardware root of trust. One caveat: the protection begins where the encrypting code runs, so a malicious script injected into the same page that reads the form before encryption must still be addressed separately, for example with Content Security Policy and subresource integrity controls on the page.

HPE SecureData Web and HPE SecureData Mobile have been technically assessed by Coalfire Systems Inc., a respected Payment Card Industry (PCI) Qualified Security Assessor (QSA), against PCI DSS 3.2. Based on that assessment, a properly designed and deployed solution provides approximately 70% to 94% PCI scope reduction. Encryption is transparent to the consumer, so the shopping experience does not change. Merchants can host the solution themselves, gaining PCI scope reduction without being tied to a specific payment gateway, and thus keep more control over their security.

In conclusion, we understand data security is a complex challenge and it is hard to know if you are following the right security strategy to protect your enterprise, data and business. We at HPE Security – Data Security understand the challenges associated and have solutions to help you and your enterprise. Adoption of data-centric security helps you by enabling mitigation against a potential data breach and also providing PCI scope reduction. Your name in public should be associated with growth rather than a breach.

Protecting Data in the Federal Government
https://www.voltage.com/government/protecting-data-federal-government/
Wed, 12 Apr 2017 21:57:07 +0000

Our world runs on data. From consumer information (health files, banking and financial data, education records, and more) to research findings and classified national security information, we generate an ever-increasing volume of critical, sensitive data. Criminals target much of this information, and cyber-attacks against enterprises and governments globally continue to grow in frequency and severity.

The government challenges
Government customers have some of the same challenges faced by private sector corporations, including:

  • The exponential growth of high-value and personally identifiable information from citizens, employees, and anyone who does business with the government.
  • The difficulty of adding security to legacy applications and platforms with limited native data security options.
  • Gaps in data protection from the over-reliance on data-at-rest, network and endpoint security.
  • The need to leverage rich data for analytics and share data between agencies and with contractors.
  • Compliance with privacy and data protection legislation such as GDPR and HIPAA.
  • The need to adopt innovations such as cloud and IoT.

In addition, governments have to deal with unique challenges, such as espionage, well-funded attacks by nation-states and insider leakage that compound the threat environment and make government challenges even more demanding and urgent.

HPE SecureData provides an end-to-end data-centric approach to enterprise data protection. It is the only comprehensive data protection platform that enables you to protect data over its entire lifecycle—from the point at which it’s captured, throughout its movement across your extended enterprise, all without exposing live information to high-risk, high-threat environments.

HPE SecureData includes next generation technologies, Hyper Format-Preserving Encryption (FPE), Hyper Secure Stateless Tokenization (SST), HPE Stateless Key Management, and data masking.

A comprehensive approach to end-to-end encryption
HPE SecureData with Hyper FPE has the ability to “de-identify” virtually unlimited data types, from sensitive personally identifiable information (PII), to IDs, health information or classified data, rendering it useless to attackers in the event of a security breach. This allows government agencies to securely leverage the de-identified data for big-data analytics, and collaborate with shared data between other agencies or contractors. It also provides accelerated encryption speeds that enables government agencies to adopt new technologies such as the cloud or Hadoop or invest in innovations such as IoT, all while lowering the risk of disclosing sensitive personal data or compromising high value data.

A major challenge faced by federal agencies, including those attacked by nation-state adversaries, is the dependency on legacy applications and platforms with limited native data security options. HPE SecureData helps build data security into both new and decades-old legacy applications, de-identifying high-value data classes; for example, protecting classified information, or eliminating reliance on Social Security Numbers in business processes. Security assurance is increased, while the data remains usable for big data analytics, Hadoop and other new applications and solutions.

HPE SecureData is the first data protection platform to earn FIPS 140-2 validation of its Format-Preserving Encryption (FPE) technology under NIST's AES FF1 (FFX-based) Format-Preserving Encryption mode standard, SP 800-38G. This enables public sector customers, when operating in strict FIPS mode, to use true FIPS-validated cryptography and build compliance programs for regulations such as the Cybersecurity Act of 2015 data security requirements, DFARS CUI, and the General Data Protection Regulation (GDPR).

With the HPE SecureData FIPS validation, government agencies and contractors can now use a standardized data security product with extensive enterprise deployments, neutralizing data breaches while liberating analytics and innovation.

Hyper FPE: encryption and masking—how we do it
Traditional encryption approaches, such as AES CBC, have an enormous impact on data structures, schemas, and applications, as shown in Figure 1. Hyper FPE uses the NIST-standard FF1 mode of the Advanced Encryption Standard (AES), which encrypts sensitive data while preserving its original format without sacrificing encryption strength. Structured data, such as Social Security numbers, tax IDs, credit card and account numbers, dates of birth, salary fields, or email addresses, can be encrypted in place.

Traditional encryption methods significantly alter the original format of data. For example, a 16-digit credit card number encrypted with AES produces a long alphanumeric string, so database schema changes are required to accommodate the incompatible format. Hyper FPE maintains the format of the data being encrypted, so no database schema changes and only minimal application changes are required; in many cases only the trusted applications that need to see the clear data change at all, often by a single line of code. Tools for bulk encryption allow rapid de-identification of large amounts of sensitive data in files and databases, so whole systems can typically be protected in days at significantly reduced cost. Hyper FPE also delivers the encryption throughput needed by high-volume Big Data, cloud and Internet of Things workloads, and supports virtually unlimited data types.
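
The FPE passages in the payments post, the e-commerce post and this section all describe the same mechanism. The following is an added example, not HPE's code and not the FF1 implementation inside HPE SecureData: it shows the FF1 Feistel structure on decimal strings, with the BIN and last four digits kept in the clear and, in a second variant, the Luhn check digit recomputed so the protected value still validates like a PAN. It assumes HMAC-SHA256 as the round function in place of FF1's AES-based PRF (so it is not interoperable with a conforming FF1 implementation) and uses a constructed demo key and a standard test card number.

```python
import hashlib
import hmac

ROUNDS = 10  # FF1 uses ten Feistel rounds; an even count keeps the final split at u

# Constructed demo key and PAN (4111111111111111 is a standard Luhn-valid test number).
DEMO_KEY = bytes.fromhex("2b7e151628aed2a6abf7158809cf4f3c")
DEMO_PAN = "4111111111111111"


def _round_prf(key: bytes, tweak: bytes, round_no: int, half: str) -> int:
    """Feistel round function. FF1 specifies an AES CBC-MAC based PRF here; this
    example substitutes HMAC-SHA256 (an assumption of the example, not part of
    the standard) so that it runs with the standard library only."""
    msg = tweak + bytes([round_no]) + half.encode("ascii")
    return int.from_bytes(hmac.new(key, msg, hashlib.sha256).digest(), "big")


def fpe_encrypt(key: bytes, tweak: bytes, digits: str) -> str:
    """Encrypt a decimal string to a decimal string of identical length using
    the FF1 Feistel structure with radix 10."""
    if not digits.isdigit() or len(digits) < 2:
        raise ValueError("input must be at least two decimal digits")
    n = len(digits)
    u, v = n // 2, n - n // 2
    a, b = digits[:u], digits[u:]
    for i in range(ROUNDS):
        m = u if i % 2 == 0 else v                 # length of the half replaced this round
        y = _round_prf(key, tweak, i, b)
        c = (int(a) + y) % 10 ** m                 # modular addition keeps the result in range
        a, b = b, str(c).zfill(m)
    return a + b


def fpe_decrypt(key: bytes, tweak: bytes, digits: str) -> str:
    """Inverse of fpe_encrypt: run the rounds backwards with modular subtraction."""
    n = len(digits)
    u, v = n // 2, n - n // 2
    a, b = digits[:u], digits[u:]
    for i in reversed(range(ROUNDS)):
        m = u if i % 2 == 0 else v
        y = _round_prf(key, tweak, i, a)
        c = (int(b) - y) % 10 ** m
        a, b = str(c).zfill(m), a
    return a + b


def luhn_check_digit(payload: str) -> str:
    """Check digit that makes payload + digit pass the Luhn test."""
    total = 0
    for pos, ch in enumerate(reversed(payload)):
        d = int(ch)
        if pos % 2 == 0:                           # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return str(-total % 10)


def luhn_valid(number: str) -> bool:
    return number.isdigit() and luhn_check_digit(number[:-1]) == number[-1]


def protect_pan(key: bytes, pan: str, keep_leading: int = 6, keep_trailing: int = 4) -> str:
    """Encrypt only the middle digits; the BIN and last four stay readable.
    The clear parts are fed in as the FF1 tweak, so identical middle digits
    under a different BIN do not produce the same ciphertext."""
    cut = len(pan) - keep_trailing
    head, mid, tail = pan[:keep_leading], pan[keep_leading:cut], pan[cut:]
    return head + fpe_encrypt(key, (head + tail).encode("ascii"), mid) + tail


def unprotect_pan(key: bytes, protected: str, keep_leading: int = 6, keep_trailing: int = 4) -> str:
    cut = len(protected) - keep_trailing
    head, mid, tail = protected[:keep_leading], protected[keep_leading:cut], protected[cut:]
    return head + fpe_decrypt(key, (head + tail).encode("ascii"), mid) + tail


def protect_pan_luhn(key: bytes, pan: str, keep_leading: int = 6) -> str:
    """Variant that keeps only the BIN and recomputes the Luhn check digit, so the
    protected value still passes the validation downstream code applies to a PAN."""
    head, mid = pan[:keep_leading], pan[keep_leading:-1]
    enc = fpe_encrypt(key, head.encode("ascii"), mid)
    return head + enc + luhn_check_digit(head + enc)


def unprotect_pan_luhn(key: bytes, protected: str, keep_leading: int = 6) -> str:
    """Recovers the PAN; correct only if the original PAN was itself Luhn-valid."""
    head, mid = protected[:keep_leading], protected[keep_leading:-1]
    dec = fpe_decrypt(key, head.encode("ascii"), mid)
    return head + dec + luhn_check_digit(head + dec)


if __name__ == "__main__":
    t = protect_pan(DEMO_KEY, DEMO_PAN)
    print(DEMO_PAN, "->", t, "->", unprotect_pan(DEMO_KEY, t))
    t = protect_pan_luhn(DEMO_KEY, DEMO_PAN)
    print(DEMO_PAN, "->", t, "luhn ok:", luhn_valid(t))
```

Two design points carry over to a real deployment: the digits left in the clear are bound into the tweak rather than ignored, and the Luhn variant deliberately trades the visible last four for a ciphertext that passes checksum validation, which is the property the text refers to when it says data properties such as a checksum can be maintained.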

Hyper FPE de-identifies production data and creates structurally valid test data so developers or users can perform QA or conduct data analysis—all without exposing sensitive data. The HPE SecureData management console enables easy control of policy and provides audit capabilities across the data life cycle—even across thousands of systems protected by HPE SecureData. Hyper FPE also provides the option to integrate access policy information in the cipher text, providing true data-centric protection where the data policy travels with the data itself.

HPE Stateless Key Management: transparent, dynamic
HPE Stateless Key Management securely derives keys on the fly as required by an application, once that application and its users have been properly authenticated and authorized against a centrally managed policy. Advanced policy controlled caching maximizes performance. HPE Stateless Key Management reduces IT costs and eases the administrative burden by:

  • Eliminating the need for a key database, as well as the corresponding hardware, software and IT processes required to protect the database continuously or the need to replicate or backup keys from site to site.
  • Easily recovering archived data, because any key can always be re-derived.
  • Automating supervisory or legal e-discovery requirements through simple application APIs, both native and via web services.
  • Maximizing the re-use of access policy infrastructure by integrating easily with identity and access management frameworks and dynamically enforcing data-level access to data fields or partial fields, by policy, as roles change.
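
To make the stateless property concrete, here is an added example (not HPE's code, and not the HPE Stateless Key Management or IBE implementation) of a key service that derives every key on demand from a master secret plus a data class and policy version, after authorizing the caller against a policy, using HKDF with HMAC-SHA256. The master secret, policy table and caller names are constructed for the example; in a deployment the master would live in an HSM and the caller identity would come from an authenticated session. It illustrates re-derivable keys and database-free rotation, not IBE's public-key property.

```python
import hashlib
import hmac
from typing import Dict, Set

# Constructed demo master secret; in production this is held in an HSM and never leaves it.
MASTER_SECRET = bytes.fromhex("000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f")

# Constructed access policy: which authenticated caller may obtain which (data class, operation).
POLICY: Dict[str, Set[str]] = {
    "pos-terminal-0042": {"pan:encrypt"},
    "settlement-host": {"pan:encrypt", "pan:decrypt"},
    "ediscovery-tool": {"pan:decrypt"},
}


def hkdf_sha256(ikm: bytes, salt: bytes, info: bytes, length: int = 32) -> bytes:
    """HKDF extract-then-expand (RFC 5869) with HMAC-SHA256, written out because
    hashlib has no HKDF helper."""
    prk = hmac.new(salt, ikm, hashlib.sha256).digest()
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        okm += block
        counter += 1
    return okm[:length]


class StatelessKeyService:
    """Keys are derived, never stored: the same (data class, version) always yields
    the same key, so there is no key database to replicate, back up, or lose."""

    def __init__(self, master: bytes, policy: Dict[str, Set[str]]) -> None:
        self._master = master
        self._policy = policy
        self._cache: Dict[bytes, bytes] = {}     # optional performance cache, never persisted

    def key_for(self, caller: str, data_class: str, op: str, version: int) -> bytes:
        """Authorize the caller against policy, then derive the requested key."""
        if f"{data_class}:{op}" not in self._policy.get(caller, set()):
            raise PermissionError(f"{caller} is not authorized to {op} {data_class}")
        info = f"{data_class}|v{version}".encode("ascii")
        if info not in self._cache:
            self._cache[info] = hkdf_sha256(self._master, salt=b"demo-keyspace-1", info=info)
        return self._cache[info]


SERVICE = StatelessKeyService(MASTER_SECRET, POLICY)


def demo() -> dict:
    """A terminal encrypts under version 3; the host and an e-discovery tool on a
    separate instance recover the identical key with no shared state; version 4
    is an independent key, which is all a rotation amounts to."""
    k_terminal = SERVICE.key_for("pos-terminal-0042", "pan", "encrypt", 3)
    k_host = SERVICE.key_for("settlement-host", "pan", "decrypt", 3)
    other_site = StatelessKeyService(MASTER_SECRET, POLICY)
    k_archive = other_site.key_for("ediscovery-tool", "pan", "decrypt", 3)
    k_rotated = SERVICE.key_for("settlement-host", "pan", "encrypt", 4)
    return {
        "host_matches_terminal": k_terminal == k_host,
        "fresh_instance_matches": k_terminal == k_archive,
        "rotation_changes_key": k_terminal != k_rotated,
    }


if __name__ == "__main__":
    print(demo())
```

The version number is what makes old archives recoverable without a key store: any site that holds the master secret can rebuild the version-3 key years later, and a caller that policy does not permit to decrypt is refused before any key is derived.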

Hyper SST (Secure Stateless Tokenization)
Hyper SST is an advanced, patented, data security solution that provides enterprises, merchants, and payment processors with a new approach to help assure protection for payment card data. Hyper SST is offered as part of the HPE SecureData platform that unites market-leading encryption, tokenization, data masking, and key management to protect sensitive information in a single comprehensive solution.

Hyper SST is “stateless” because it eliminates the token database that is central to other tokenization solutions, and removes the need to store cardholder or other sensitive data. Hyper SST uses a set of static, pre-generated tables containing random numbers created with a FIPS random number generator. These static tables reside on virtual “appliances” (commodity servers) and are used to consistently produce a unique, random token for each clear-text Primary Account Number (PAN) input, resulting in a token that has no relationship to the original PAN. Because no token database is required, the speed, scalability, security, and manageability of tokenization all improve, and Hyper SST surpasses the performance of the earlier generation of SST.
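
The SST description here and in the payments post above makes an architectural point, vault versus stateless tables, that is easiest to see in code. The following added example is not HPE's patented algorithm (the page does not describe its table layout or mapping) but a simplified illustration in the same spirit: a vault tokenizer that must persist every mapping, beside a tokenizer whose output is a pure function of the PAN and a set of pre-generated random substitution tables, so two sites holding the same tables agree on every token with no database and no communication. Table generation uses Python's SystemRandom as a stand-in for the FIPS random number generator named in the text; the PAN is a constructed test value.

```python
import secrets
from typing import Dict, List, Optional, Tuple

DIGITS = "0123456789"


def _split(pan: str, keep_leading: int = 6, keep_trailing: int = 4) -> Tuple[str, str, str]:
    cut = len(pan) - keep_trailing
    return pan[:keep_leading], pan[keep_leading:cut], pan[cut:]


class VaultTokenizer:
    """Conventional tokenization: a random token per PAN, with the mapping persisted
    in a database that every site must reach or replicate, and that is itself a target."""

    def __init__(self) -> None:
        self.vault: Dict[str, str] = {}        # token -> PAN (the sensitive store)
        self._by_pan: Dict[str, str] = {}

    def tokenize(self, pan: str) -> str:
        if pan in self._by_pan:
            return self._by_pan[pan]
        head, mid, tail = _split(pan)
        while True:
            token = head + "".join(secrets.choice(DIGITS) for _ in mid) + tail
            if token not in self.vault:        # collision check needs the database
                break
        self.vault[token] = pan
        self._by_pan[pan] = token
        return token

    def detokenize(self, token: str) -> str:
        return self.vault[token]


def generate_tables(positions: int, rng: Optional[secrets.SystemRandom] = None) -> List[List[str]]:
    """One-time setup: for each digit position and each possible previous output
    digit, a random permutation of 0-9. Generated once, then copied to every site."""
    rng = rng or secrets.SystemRandom()        # stand-in for the FIPS RNG in the text
    tables: List[List[str]] = []
    for _ in range(positions):
        per_prev = []
        for _ in range(10):
            perm = list(DIGITS)
            rng.shuffle(perm)
            per_prev.append("".join(perm))
        tables.append(per_prev)
    return tables


class StatelessTokenizer:
    """Token = f(PAN, tables). No per-token state is written anywhere, so the scheme
    scales by copying the tables rather than by replicating a database."""

    def __init__(self, tables: List[List[str]]) -> None:
        self._tables = tables

    def tokenize(self, pan: str) -> str:
        head, mid, tail = _split(pan)
        if len(mid) != len(self._tables):
            raise ValueError("table set does not match PAN length")
        prev, out = 0, []
        for pos, ch in enumerate(mid):
            o = self._tables[pos][prev][int(ch)]   # table chosen by position and previous output
            out.append(o)
            prev = int(o)
        return head + "".join(out) + tail

    def detokenize(self, token: str) -> str:
        head, mid, tail = _split(token)
        if len(mid) != len(self._tables):
            raise ValueError("table set does not match token length")
        prev, out = 0, []
        for pos, o in enumerate(mid):
            out.append(str(self._tables[pos][prev].index(o)))   # invert the permutation
            prev = int(o)                          # chain on the token digit, as in tokenize
        return head + "".join(out) + tail


if __name__ == "__main__":
    tables = generate_tables(6)
    site_a, site_b = StatelessTokenizer(tables), StatelessTokenizer(tables)
    tok = site_a.tokenize("4111111111111111")
    print(tok, site_b.detokenize(tok))
```

The operational difference is what the text is pointing at: the vault's security and availability rest on one growing database that has to be protected and replicated, while the stateless tokenizer needs only the static tables, which must be generated with a strong random source and protected as a secret but never change after deployment.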

Find out more about our solutions for Government entities at our new website:

Data security and the GDPR
https://www.voltage.com/gdpr/data-security-gdpr/
Thu, 06 Apr 2017 22:18:31 +0000

The European Union (EU) General Data Protection Regulation (GDPR) is the most significant development in data privacy in decades. Its aim is to protect EU citizens from privacy and data breaches. The regulation comes into effect on 25 May 2018 and imposes heavy fines, up to 4% of annual global turnover, on organizations for noncompliance.

While the GDPR mandates a number of measures to protect EU citizen data, achieving compliance in large measure comes down to good data security. The GDPR recommends pseudonymization and encryption as two mechanisms that can be used to protect personally identifiable information (PII).

Our new technical white paper titled “Example Architectures for Data Security and the GDPR” presents use cases for application of pseudonymization and encryption to protect data. The paper also provides an overview of the HPE SecureData core technologies and platform, and then describes architectures and strategies adopted by two of HPE’s customers to secure PII data.

Pseudonymization and encryption: What’s the difference? 

The GDPR specifically calls out the use of pseudonymization and encryption mechanisms as acceptable means for protecting data, but what do these two terms mean? The white paper explains that pseudonymization is often used as a general term that can apply to various techniques for data de-identification when the pseudonym or surrogate data can be used in business processes. Field-level encryption and tokenization are both examples of pseudonymization.

The GDPR is careful not to prescribe specific forms of encryption or pseudonymization. Legacy encryption methods can render data unrecognizable and break business processes. However, GDPR calls out two important encryption features: the ability to decrypt the data when necessary and the ability to continue to run business processes on the encrypted data. HPE Format-Preserving Encryption (HPE FPE) exceeds these guidelines at enterprise scale.

What are the Use cases for pseudonymization and encryption?

The white paper outlines four use cases. The first is secure analytics, for data warehouses, Big Data and Hadoop. Organizations are constantly collecting and storing sensitive data such as names, addresses, phone numbers and account numbers, and obtaining a return on that investment requires opening the data to data scientists for analysis. But expanding access to sensitive data exposes the organization to breaches through insider theft, data mishandling, or weak security at a third party. Using HPE FPE-protected data in these platforms lets organizations run analytics on de-identified data, providing access to the data in its protected form for analytics and insights. This reduces the risk of a data breach, helps keep the enterprise in compliance with regulations such as the GDPR, and improves the ROI on the Hadoop investment.

Migration to the cloud is the second use case: For sensitive corporate and customer data such as medical or financial data, adopting new cloud capabilities imposes unique challenges, business risks, and compliance complications due to the nature of cloud architecture. Replacing identifiable data with an encrypted value narrows possible exposure of sensitive data and can greatly reduce audit scope and compliance costs.

The third use case is protecting data in live production systems. Field-level data protection ensures that attackers do not obtain real PII when perimeter and infrastructure controls are eventually breached. Only selected applications and users that have been authenticated and authorized can decrypt data for use, in real time; other applications operate on HPE FPE-encrypted data, which shrinks the attack surface for retrieving sensitive PII within an enterprise's infrastructure and lowers the organization's risk.

The fourth use case the paper describes is development and test systems: When data is copied from production databases and used directly, large volumes of private data accumulate on unprotected servers and workstations, exposing the enterprise to needless risk. An alarming number of data breaches, along with regulatory compliance requirements such as GDPR, highlight the need to de-identify sensitive data when moving from production to test, development, and training environments. Passing encrypted data into these systems helps to protect sensitive data against loss and theft while providing businesses with the agility required in their application development process.

Technology considerations

The paper also discusses two technology considerations for encryption and pseudonymization: HPE Format-Preserving Encryption and HPE Stateless Key Management. HPE FPE encrypts virtually unlimited data types while preserving format, relationships, context and meaning, fits legacy systems, and minimizes the need to decrypt, increasing security while retaining data utility.

As organizations protect multiple applications and sensitive PII data types with encryption, they face growing challenges scaling their key management systems. Unlike legacy key management solutions that require complex replication and scaling architectures, HPE Stateless Key Management generates and re-generates keys on demand without an ever-growing key store. The result is a system well suited to Hadoop and Big Data use cases, since it can be scaled across distributed physical and logical locations with no additional key-store overhead.

Architectural examples:

The white paper concludes by presenting two real-world examples. The first is a large European telco that collects massive data sets from its mobile subscribers in a number of European countries; it expects to process over 11 billion records daily.

Their business need was to protect massive data sets which included PII data, comply with local data residency laws from multiple countries and GDPR, and apply encryption while retaining the ability to analyze the data to detect access fraud, gain user pattern insights, and debug network fault scenarios.

The second example is a global card brand. Research suggested it could realize large cost savings by moving data to the cloud, but moving data in the clear to the cloud would introduce a number of risks, including a possible data breach, data jurisdiction challenges, and potential non-compliance with regulations including the GDPR.

Their business need was support for a large-scale hybrid infrastructure with a mix of legacy, enterprise, and cloud platforms and to protect data immediately from specific applications as they are moved to the cloud. The solution would also need to scale to protect billions of instances of PII data across hundreds of applications collecting, storing, and processing PII data.

The paper describes the unique solution and benefits maintained by these two real-world customers. To read more, download the full white paper, “Example Architectures for Data Security and the GDPR.”

Beyond NonStop Encryption
https://www.voltage.com/encryption/beyond-nonstop-encryption/
Thu, 30 Mar 2017 22:01:08 +0000

In the world of NonStop, we may take for granted as truth that high availability matters. But so does scalability—and that includes the ability to scale protection of data at-rest beyond NonStop to include the broader enterprise storage ecosystem where data may be in motion and in use. Because if data isn’t protected and trusted, does it matter if it’s always available to your applications? Probably not.

The reality is, your sensitive, mission-critical data not only sits at-rest in NonStop, but may be accessed, used or stored throughout interrelated applications and systems where value is added or can be taken away if that data is compromised. How do you know if data was kept safe while outside of the NonStop environment? What if it was compromised and returns in an untrusted state? Effectively, the information’s value needs to be protected both inside and outside of NonStop as it is used and transformed in order to maintain complete information lifecycle integrity.

Today, the server itself is no longer a reliable border control, as sensitive data moves throughout its lifecycle. Whether at-rest in archives, nearline storage, or somewhere in-between with applications, it’s critical to take a holistic approach to how that data is governed. Minimizing risk exposure from data misuse or attack means closing gaps in protection and control. No system administrator wants to tell an auditor that their NonStop data was encrypted and presumably safe from a security breach, but something strange happened on its way to and from another system, application or archive. And with today’s hybrid infrastructure, there’s even more risk exposure if relying on cloud applications and storage that IT teams must address by considering information risks beyond purely NonStop.

So, How Do I Get There?
There is good news. For years NonStop users have trusted and relied upon HPE Enterprise Secure Key Manager (ESKM) to centrally control encryption by interfacing with NonStop Cluster I/O Modules (CLIMs) to enable volume level encryption. Based on a centralized approach to automate key management, HPE ESKM helps simplify security policy and auditing by protecting encrypted data at-rest on NonStop systems, while encryption keys are separated, centrally-located and kept safe within the HPE ESKM high-assurance security appliance.

But did you know that the HPE ESKM appliances you may already have in place can also control encryption outside of proprietary NonStop systems? Let’s discuss this aspect a bit further…

HPE ESKM today can simply plug key management into existing NonStop systems, but it was designed for much more, and IT administrators may only be touching the tip of the iceberg, when only managing a single NonStop application. HPE ESKM supports the OASIS Key Management Interoperability Protocol (KMIP) standard, which means it can easily extend encryption key management across many more infrastructure systems that are KMIP-compatible. This consistent management framework supports security officers and compliance teams for enabling enterprise-wide, global, security policy.

Much like a standard way of plugging toasters and lamps into the same type of power socket, HPE ESKM allows storage, servers, hybrid cloud systems, networked devices and more to plug into it for key management by using KMIP as the common key management language. Not only is this a great message to tell the CISO that you can now extend data protection with the same HPE ESKM appliances already running operationally, but the business can quickly realize increased ROI and the consistency of a single pane of glass approach to managing data security risk that meets compliance mandates with an existing solution.
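To make "KMIP as the common language" concrete, here is an added example (not HPE, ESKM or Bloombase code, and not part of the original article): a minimal encoder and decoder for KMIP's TTLV wire format that builds the Get request a storage device sends to fetch a key by its Unique Identifier. The tag numbers and the Get operation code are the KMIP 1.x values as given in the specification's tag table; the key identifier is a constructed sample. A real client sends this over a TLS session authenticated with the device's client certificate, and that certificate-to-key-group mapping on the key manager is what actually decides which device may fetch which key.

```python
"""Minimal KMIP TTLV encoder/decoder (added illustration, not HPE/ESKM code).

Every KMIP item is framed as Tag (3 bytes) | Type (1 byte) | Length (4 bytes,
big-endian, of the unpadded value) | Value, with the value zero-padded to a
multiple of 8 bytes. Structures nest other items in their value.
"""
import struct

# KMIP 1.x tag numbers (assumption: copied from the KMIP 1.x tag table; verify
# against the protocol version your key manager negotiates)
TAG_REQUEST_MESSAGE = 0x420078
TAG_REQUEST_HEADER = 0x420077
TAG_PROTOCOL_VERSION = 0x420069
TAG_PROTOCOL_VERSION_MAJOR = 0x42006A
TAG_PROTOCOL_VERSION_MINOR = 0x42006B
TAG_BATCH_COUNT = 0x42000D
TAG_BATCH_ITEM = 0x42000F
TAG_OPERATION = 0x42005C
TAG_REQUEST_PAYLOAD = 0x420079
TAG_UNIQUE_IDENTIFIER = 0x420094

# TTLV item types used here
TYPE_STRUCTURE = 0x01
TYPE_INTEGER = 0x02
TYPE_ENUMERATION = 0x05
TYPE_TEXT_STRING = 0x07

OPERATION_GET = 0x0000000A  # Operation enumeration value for Get


def _pad8(value: bytes) -> bytes:
    """Zero-pad a value up to the next multiple of 8 bytes."""
    return value + b"\x00" * (-len(value) % 8)


def ttlv(tag: int, typ: int, value: bytes) -> bytes:
    """Frame one item: 3-byte tag, 1-byte type, 4-byte length, padded value."""
    return tag.to_bytes(3, "big") + bytes([typ]) + struct.pack(">I", len(value)) + _pad8(value)


def integer(tag: int, value: int) -> bytes:
    return ttlv(tag, TYPE_INTEGER, struct.pack(">i", value))


def enumeration(tag: int, value: int) -> bytes:
    return ttlv(tag, TYPE_ENUMERATION, struct.pack(">I", value))


def text(tag: int, value: str) -> bytes:
    return ttlv(tag, TYPE_TEXT_STRING, value.encode("utf-8"))


def structure(tag: int, *items: bytes) -> bytes:
    return ttlv(tag, TYPE_STRUCTURE, b"".join(items))


def build_get_request(key_id: str, major: int = 1, minor: int = 2) -> bytes:
    """Encode a KMIP Get request for the managed object with the given Unique Identifier."""
    header = structure(
        TAG_REQUEST_HEADER,
        structure(TAG_PROTOCOL_VERSION,
                  integer(TAG_PROTOCOL_VERSION_MAJOR, major),
                  integer(TAG_PROTOCOL_VERSION_MINOR, minor)),
        integer(TAG_BATCH_COUNT, 1),
    )
    item = structure(
        TAG_BATCH_ITEM,
        enumeration(TAG_OPERATION, OPERATION_GET),
        structure(TAG_REQUEST_PAYLOAD, text(TAG_UNIQUE_IDENTIFIER, key_id)),
    )
    return structure(TAG_REQUEST_MESSAGE, header, item)


def parse(buf: bytes) -> list:
    """Decode TTLV bytes into a nested list of (tag, type, value) tuples."""
    items, off = [], 0
    while off < len(buf):
        tag = int.from_bytes(buf[off:off + 3], "big")
        typ = buf[off + 3]
        length = struct.unpack(">I", buf[off + 4:off + 8])[0]
        raw = buf[off + 8:off + 8 + length]
        if typ == TYPE_STRUCTURE:
            value = parse(raw)
        elif typ == TYPE_INTEGER:
            value = struct.unpack(">i", raw)[0]
        elif typ == TYPE_ENUMERATION:
            value = struct.unpack(">I", raw)[0]
        elif typ == TYPE_TEXT_STRING:
            value = raw.decode("utf-8")
        else:
            value = raw  # other types are passed through undecoded
        items.append((tag, typ, value))
        off += 8 + length + (-length % 8)  # skip the padding too
    return items


def requested_key_id(buf: bytes):
    """Return the Unique Identifier a Get request asks for (None if absent)."""
    def walk(items):
        for tag, typ, value in items:
            if tag == TAG_UNIQUE_IDENTIFIER:
                return value
            if typ == TYPE_STRUCTURE:
                found = walk(value)
                if found is not None:
                    return found
        return None
    return walk(parse(buf))


if __name__ == "__main__":
    req = build_get_request("demo-key-0001")  # constructed sample identifier
    print(req.hex())
    print("server would look up:", requested_key_id(req))
```

The same framing carries every other KMIP operation (Create, Locate, Register, Destroy), which is why one key manager can serve tape libraries, disk arrays and proxies alike: only the tags inside the batch item change.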

But Hold on a Sec—What if my IT Systems Can’t Support Native Data Encryption?
What good is a centralized key management system without the encryption? KMIP is the “glue” that can enable HPE ESKM to plug into virtually any storage or server system, but it assumes those systems are encryption-ready and can communicate using the same language. Fortunately, HPE maintains the largest IT vendor supported ecosystem of encryption-ready storage and server infrastructure products today.

The same key management that automates security controls for NonStop can now easily be extended to StoreEver tape libraries, 3PAR disk storage, ProLiant servers, and even Connected MX cloud-based backup at the desktop level. The list goes on. HPE ESKM can help break down silos of encryption and simplify how security is deployed across extended storage and server estates with a unified approach. However, those systems need to support encryption themselves, whether through self-encrypting drives, LTO tape, controller-based encryption, and so on. Or do they?

HPE recently introduced a new HPE ESKM encryption solution with Bloombase, called StoreSafe, that uses a proxy-based approach to transparently encrypt data carried over standard storage network protocols (Fibre Channel, iSCSI, NFS, CIFS, REST and others) before it is written to storage. By encrypting on the fly at the protocol level, StoreSafe extends data encryption to IT infrastructure beyond NonStop, even to legacy and proprietary systems that are not capable of native encryption. And by using KMIP, StoreSafe manages its encryption keys centrally in HPE ESKM, separate from the data and from the encryption runtime, for greater security assurance.

So what are the benefits? When no native encryption capability is present with the IT system, StoreSafe addresses this using an encryption proxy approach. In addition, StoreSafe can support proprietary systems where vendors don’t allow open interoperability. The combination of HPE ESKM plus StoreSafe is similar to NonStop CLIM integration, however with these differences:

  • StoreSafe uses standard storage protocols for encryption interoperability to protect data in-line between applications and target storage systems, while managing keys with HPE ESKM using KMIP
  • Legacy storage systems that don’t already have native encryption capabilities can proxy the encryption with StoreSafe prior to writing the data at-rest, and
  • Proprietary systems that force users into adopting locked-in approaches can be circumvented with StoreSafe and HPE ESKM as a standards-based offering.

Designed for NonStop, built for extensibility
Offering standards-based solutions for NonStop means existing investments in key management using HPE ESKM can now be extended for wider protection of data across IT systems, without compromising a unified approach to security policy enforcement and auditing. NonStop users need to think outside the server box by addressing today’s threats holistically, as information moves throughout the organization and must remain trusted at every step.

Using an existing HPE ESKM deployment to enable encryption across additional storage and servers, and using StoreSafe to address legacy and proprietary IT systems, helps ensure the same controls over NonStop data can now apply universally. IT administrators, already comfortable managing encryption for NonStop, will find that extending HPE ESKM to new encryption applications comes easily with the ability to segregate applications to use specific pools of keys, providing reliable separation as required.

And yet, this is not the end of the story. HPE ESKM key management, while easy to plug in to your storage and server systems, can also operate alongside the HPE SecureData encryption solution for key management at the application layer for a data-centric approach that provides multi-layered protection, no matter if data is in use, in flight or at-rest. The combination of infrastructure, application and data-centric solutions delivers comprehensive protection for the NonStop environment and beyond.

What’s Next?
If you already have HPE ESKM key management deployed with NonStop using CLIM volume-level encryption, you may have what you need to test encryption across similar HPE and ESKM partner ecosystem storage and server applications. Just be sure to check that they support KMIP interoperability for key management. If you do not have HPE ESKM, your HPE rep can provide a demonstration of NonStop encryption and key management to show how easy it is to enable data protection.

Don’t be the next hacker statistic by allowing your trusted NonStop data to become another news headline when IT systems that use that data across the organization remain unprotected and at risk of a data breach. HPE ESKM and the ecosystem of HPE Security – Data Security solutions can help your data at-rest “rest assured” and protected with an extensible approach to protecting sensitive data that maximizes your security investment.

This article first appeared in Jan/Feb 2017 issue of The Connection magazine, for the HPE NonStop audience.

Payment Compliance Does not Always Equal Security https://www.voltage.com/payments/payment-compliance-not-always-equal-security/ Thu, 23 Mar 2017 22:23:52 +0000

The post Payment Compliance Does not Always Equal Security appeared first on HPE Security - Data Security.

Payment data breaches still make big headlines. I have lost count of how many times in the last two years I have had to change my credit card because it was marked as compromised. Why does that keep happening? Part of the answer is how far your payment processor believes that compliance equals data security.

Does Compliance equal Security?

There are a number of standards and regulations that payment processing companies must comply with on an ongoing basis, from PCI DSS (Payment Card Industry Data Security Standard) and EMV to the emerging GDPR (General Data Protection Regulation). But at the end of the day, regulations and audit compliance are just a start, and passing an audit does not by itself mean the data is protected. Just ask any company that has experienced a data security breach: almost all of them were compliant with the current standards at the time they were breached. Heartland Payment Systems is one such example. In 2008, Heartland suffered what was, at the time, one of the largest breaches in the world.

Founded in 1997, Heartland Payment Systems is a Fortune 1000 U.S.-based payment processing and technology provider, serving small and medium merchants and large enterprises. The company recently merged with Global Payments Systems, a leading worldwide provider of payment technology services that allow its customers to accept all payment types across a variety of distribution channels in many markets around the world. Bob Carr was the then-CEO of Heartland when he received the call at the end of 2008 bringing the worst news a payments company can hear: news of a data breach.

Why was data left unprotected?

Security experts estimated that as many as 100 million cards issued by more than 650 financial services companies might have been compromised in the 2008 breach. Heartland had deployed encryption throughout its systems; however, to determine the next hop for a transaction, the data had to be decrypted and handled in clear text, and that is where it was vulnerable. The result was a security environment with gaps between the encrypted segments. Attackers gained entry through a SQL injection attack and siphoned off credit and debit card numbers from those gaps.

After the breach, Heartland vetted many solutions and reached the conclusion that a data-centric solution was the best option for its infrastructure. Heartland deployed HPE SecureData Payments, which provided a true end-to-end payments data protection solution that protected data from the card swipe/dip through to Heartland's back-end systems. The solution is designed to safeguard cardholder data throughout the lifecycle of the payments transaction, enabling Heartland to use end-to-end encryption across all its transaction processing systems.

The ability to leverage cutting edge technologies such as HPE Format-Preserving Encryption (FPE) and HPE Secure Stateless Tokenization (SST), enabled Heartland to protect the data at-capture and keep it protected throughout its lifecycle. There is no longer a need to decrypt it to determine where it goes next. Card-holder data ends up staying in its protected state.

HPE FPE makes sure credit and debit card numbers are never exposed while retaining their format, so merchants were not forced to change any of their systems or processes. Another benefit was greatly reduced PCI assessment cost and audit time for Heartland's customers, because point of sale (POS) systems that never see clear-text card data can be taken out of audit scope.

Unlike his counterparts who tend to stay off the record on security breaches, Bob Carr has gone public with Heartland’s story to encourage companies to share information about attacks and band together against cybercriminals who themselves are becoming more sophisticated.

Hear him in his own words:

Video interview featuring Bob Carr – founder of Heartland Payment Systems.

Data Security at HPE Government Summit https://www.voltage.com/government/data-security-hpe-government-summit/ Thu, 16 Mar 2017 20:00:11 +0000

The post Data Security at HPE Government Summit appeared first on HPE Security - Data Security.

March is here, spring is in the air, and it's time for the Hewlett Packard Enterprise Software Government Summit 2017, taking place in Washington DC on Wednesday, March 22. The Government Summit is the premier US government technology showcase of the year. Government entities, much like their business counterparts, are starting to recognize that cloud adoption, bolstered security, harnessing Big Data and delivering mobile services are essential to modern service delivery. Attendees of the Government Summit can hear about real-life experiences from successful agencies using IT to propel their missions further, faster.

Even though this is a one-day event, it is a stacked agenda. The Government Summit is divided into six tracks. The first track centers on using IoT, Big Data analytics and information management to course-correct and continually improve Federal "Digital First" initiatives. The second track discusses enhancing Federal software security assurance in the age of DevOps, mobile, IoT and cloud. The third track features the power of security data analytics. Track four focuses on protecting Government business initiatives and how to meet the Cybersecurity Act of 2015. Track five highlights accelerating the shift to DevOps in support of secure innovation on a government budget. The last track is about balancing innovation and risk against data center consolidation and "Cloud First" mandates with hybrid cloud.

That is a great lineup, but it is track four that is near and dear to Data Security's heart, because it talks about protecting an entity's most valuable asset, the data. Just like their enterprise counterparts, Government agencies need to protect sensitive Personally Identifiable Information (PII) and other high-value (classified) data from data breaches and insider threats in their existing systems. The challenge is to achieve protection while still allowing inter-agency sharing, big data analytics, cloud and other innovations to grow. This challenge can be met with the best practice of data-centric security.

Government entities need Data-centric Security

Federal and state government agencies disclosed a total of 203 data breaches between 2010 and 2016. Attackers include nation-states, activists, for-profit hackers and malicious insiders. Perimeter security is unable to stop them, especially malicious insiders, who by definition are already inside the network. Point solutions that protect data on a disk or in a single application are just as ineffective, because they cannot protect data in motion or while it is being used.

A data-centric approach to security allows companies or Government agencies to mitigate the risks from cyberattacks, such as advanced malware, insider threats, and other attempts to get at sensitive information. Data-centric security works by encrypting all sensitive data as it enters a system. That protection stays with the data whether it is at-rest, in-motion or in-use, including as it moves in and out of the cloud, rather than applying only where the data is stored. This way, if an attacker accesses the data, they get nothing of value. The ability to neutralize a breach by rendering data useless if lost or stolen is the essential benefit of data-centric encryption. Credentials that never need to be recovered in clear form should be protected with state-of-the-art methods such as strong, standards-based keyed hashing rather than with reversible encryption.

Data-centric security uses technology such as format-preserving encryption (FPE), an encryption method that preserves the format of the data it protects. It transforms data formatted as a sequence of symbols (digits, letters, and so on) so that the encrypted form has the same format and length as the original. Because the format does not change, retrofitting FPE into legacy applications and database schemas is far simpler than with conventional encryption, which changes both the length and the character set of the data. FPE is built on FFX, a family of Feistel-based encryption modes; the "X" in FFX reflects that the framework can be instantiated with different parameter sets. NIST standardized this approach in SP 800-38G, whose FF1 and FF3 modes are built on the AES block cipher.

With FPE, sensitive data and even communication protocols can be encrypted without breaking application frameworks, and while retaining the usability of the protected data for analytics and business intelligence, without requiring decryption. Data-centric security controls let organizations protect valuable data assets and still draw data-rich analytic insight from them at far lower risk.
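Both the Heartland description earlier on this page (card numbers kept in their original format so merchant systems did not have to change) and the FFX description just above come down to the same mechanism, so here is one added example for both. It is not HPE SecureData or Hyper FPE code, and it is not NIST FF1: it keeps the FF1-style alternating Feistel structure over decimal digits but uses HMAC-SHA256 as the round function in place of the AES-based PRF the standard specifies. The key, the sample card number and the partial-PAN pattern (first six and last four digits left in the clear, with those clear digits used as the tweak) are constructed for the demonstration and are my assumptions, not something the page states.

```python
"""Illustrative Feistel-based format-preserving encryption over decimal digits.

Added example: not HPE SecureData / Hyper FPE code and not NIST FF1. It keeps
the FF1-style alternating Feistel structure but uses HMAC-SHA256 as the round
function in place of the AES-based PRF the standard specifies, so it shows what
"same format and length" means without claiming to be the standard cipher.
"""
import hashlib
import hmac

RADIX = 10    # decimal digits
ROUNDS = 10   # even, so ciphertext halves line up with plaintext halves


def _round_function(key: bytes, tweak: bytes, i: int, half: str, m: int) -> int:
    """Keyed PRF of (tweak, round number, one half), reduced to an m-digit number."""
    msg = tweak + bytes([i]) + half.encode("ascii")
    digest = hmac.new(key, msg, hashlib.sha256).digest()
    return int.from_bytes(digest, "big") % (RADIX ** m)


def _split(digits: str):
    """Validate the input and split it into left/right halves of length u and v."""
    if not digits.isdigit() or len(digits) < 2:
        raise ValueError("input must be a string of at least two decimal digits")
    u = len(digits) // 2
    return u, len(digits) - u, digits[:u], digits[u:]


def fpe_encrypt(key: bytes, tweak: bytes, digits: str) -> str:
    """Encrypt a digit string to a digit string of exactly the same length."""
    u, v, a, b = _split(digits)
    for i in range(ROUNDS):
        m = u if i % 2 == 0 else v            # length of the half being replaced
        y = _round_function(key, tweak, i, b, m)
        c = (int(a) + y) % (RADIX ** m)       # modular add keeps the result in range
        a, b = b, str(c).zfill(m)             # zero-fill preserves the digit count
    return a + b


def fpe_decrypt(key: bytes, tweak: bytes, digits: str) -> str:
    """Inverse of fpe_encrypt: run the rounds backwards, subtracting instead of adding."""
    u, v, a, b = _split(digits)
    for i in reversed(range(ROUNDS)):
        m = u if i % 2 == 0 else v
        y = _round_function(key, tweak, i, a, m)
        c = (int(b) - y) % (RADIX ** m)
        a, b = str(c).zfill(m), a
    return a + b


def protect_pan(key: bytes, pan: str, keep_first: int = 6, keep_last: int = 4) -> str:
    """Encrypt only the middle of a card number, leaving BIN and last four in the
    clear (assumed deployment pattern). The clear digits are fed in as the tweak, so
    identical middle digits encrypt differently under a different BIN/last-four."""
    if not pan.isdigit() or len(pan) - keep_first - keep_last < 2:
        raise ValueError("PAN too short to leave that many digits in the clear")
    cut = len(pan) - keep_last
    head, mid, tail = pan[:keep_first], pan[keep_first:cut], pan[cut:]
    return head + fpe_encrypt(key, (head + tail).encode("ascii"), mid) + tail


def unprotect_pan(key: bytes, protected: str, keep_first: int = 6, keep_last: int = 4) -> str:
    """Recover the original PAN from protect_pan output with the same key."""
    cut = len(protected) - keep_last
    head, mid, tail = protected[:keep_first], protected[keep_first:cut], protected[cut:]
    return head + fpe_decrypt(key, (head + tail).encode("ascii"), mid) + tail


if __name__ == "__main__":
    key = b"constructed-demo-key-not-for-production"   # constructed sample key
    pan = "4111111111111111"                           # constructed sample PAN
    protected = protect_pan(key, pan)
    print(pan, "->", protected, "->", unprotect_pan(key, protected))
```

The protected value is still sixteen digits, so a column, a message field or a log line that expected a PAN accepts it unchanged, which is the property that let Heartland's merchants keep their systems as they were. Note what the toy version deliberately leaves out: FF1's AES-based round function, its handling of small domains and its bias reduction. Use a vetted SP 800-38G implementation in production.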

Data Security Tracks at the Government Summit:

Using Data-Centric Security to Protect Big Data, Hadoop, Cloud, Mobile and IoT initiatives
HPE Security – Data Security, has been the leader in the development of Format-Preserving Encryption (FPE), enabling hundreds of major global enterprises to protect data across the enterprise while preserving business processes and key big data, cloud, mobile and IoT initiatives. With FPE technology becoming a NIST standard, this technology is now available to protect high-value data from Government Agencies.

Neutralizing Data Breaches and Insider Threats Through HPE SecureData
Discover how to neutralize data breaches and insider threats by protecting high value data across platforms and applications. HPE SecureData with Hyper FPE “de-identifies” sensitive data from the point of capture rendering it useless to attackers, while maintaining its usability and referential integrity for data processes, applications, services and new initiatives.

Protecting data-at-rest across the Government
Protecting data-at-rest is so important. Learn about the "perfect storm", what analysts have concluded, and discuss how HPE Enterprise Secure Key Manager (ESKM) helps to protect data, reduce risk, and lower your operational and capital costs.

Still not convinced you need to attend? See HPE Security’s blog, “Top 10 reasons you should attend HPE Software Government Summit.” If you are ready to learn more about data-centric security for Government agencies, register for the 7th annual HPE Software Government Summit now!

Follow us on Twitter @hpe_voltage or search “#HPEGovSummit”.

Cyberthreat Defense Report Outlines Security Challenges https://www.voltage.com/cybersecurity/cyberthreat-defense-report-outlines-security-challenges/ Thu, 09 Mar 2017 20:51:50 +0000

The post Cyberthreat Defense Report Outlines Security Challenges appeared first on HPE Security - Data Security.

Those of us who work in IT security know cyber threats are on the rise, so much so that it feels like we are under siege. Breach, hacker, ransomware, and state-sponsored attacker are all buzzwords that can give a CISO chills. Sure, big data breaches draw big headlines, but does perception match reality? Now we have hard numbers.

CyberEdge Group research firm recently announced the publication of its fourth annual Cyberthreat Defense Report (CDR). The Cyberthreat Defense Report is a comprehensive review of the perceptions of 1,100 IT security professionals representing 15 countries and 19 industries. This report provides information security decision makers and practitioners with practical, unbiased insight into how enterprises and government agencies defend their networks against today’s complex cyberthreat landscape.

This study provides a 360-degree view of organizations' security threats, current defenses, and planned investments. Consistent with findings in CyberEdge's prior three annual reports, the 2017 report finds that network breaches are rising and malware is more troubling than ever. The report also found that 61 percent of responding organizations were compromised by ransomware in 2016, while the percentage of organizations affected by successful cyberattacks reached an all-time high.

Key insights from this year’s report include:

Rising attacks
Nearly four in five respondents' organizations were affected by a successful cyberattack in 2016, compared to 62% three years ago, with a full third being breached six or more times in the span of a year. Close to 60% think it somewhat likely to very likely that their company will suffer a successful cyberattack in 2017. With so many reported attacks, and over half predicting future ones, companies need to adhere to the best practice of data-centric security to protect their data.

Mobile devices weakest tech component
For the fourth consecutive year, mobile devices are perceived as IT security’s weakest link, closely followed by other end-user computing devices.

Patch management woes
Less than a third of respondents are confident their organization's patch management program effectively mitigates the risk of exploit-based malware. This echoes the results of the HPE Security Research Cyber Risk Report 2016, which found that patches, stopgap measures in and of themselves, are only effective if end users actually install and apply them.

Threats keeping CISOs up at night
Out of ten types of cyber threats, malware, phishing, and insider threats are the top three that give IT security the most headaches.

Held hostage by ransomware
Six in ten of respondents indicated that their organization was victimized by ransomware last year. Of those affected, 33 percent paid the ransom and recovered their data, 54 percent refused to pay but successfully recovered their data anyway, and 13 percent refused to pay and subsequently lost their data.

Microsoft leaving the door open?
With two-thirds of respondents not fully satisfied with Microsoft’s security measures for Office 365, the door remains open for third-party security solutions. (See our recent blog on our email encryption solution that is a natural complement to Office 365, enhancing its security, privacy, and usability capabilities.)

Security budgets still rising
Despite stabilizing as a percentage of organizations’ overall IT budgets, nearly three-quarters of IT security budgets are expected to rise (again) in 2017. This is indeed good news, as without adequate funding, no IT security team stands a chance of keeping pace with the ever growing and changing cyberthreats it is likely to face. More worrisome, though, is the vertical industry that’s not keeping pace: government, with both the lowest rate of respondents expecting a budget increase (46.8%) and the highest rate expecting a budget decrease (10.9%).

The Cyberthreat Defense Report provides the most geographically comprehensive view of IT security perceptions in our industry. Be sure to download your complimentary copy now!

Gain Email “Peace of Mind in the Cloud” https://www.voltage.com/email/gain-email-peace-mind-cloud/ Thu, 02 Mar 2017 21:27:15 +0000

The post Gain Email “Peace of Mind in the Cloud” appeared first on HPE Security - Data Security.

Believe it or not, email still leads the way for communications in enterprise companies. Email is where much of our business takes place and is still the collaboration platform of choice. The average user sends a median of 30 emails and receives a median of 100 per day, and spends more than 150 minutes, about 2.5 hours, each day working in email.

However, email remains one of the most vulnerable systems in IT. From October 2013 through February 2016, law enforcement received reports from more than 17,000 victims of business email scams, exposing companies to losses estimated at $2.3 billion. And since 2015, the FBI has seen a 270% increase in victims and losses. This means that email infrastructure is in constant need of protection. Failure to protect email communications can put companies at risk of losing data, trade secrets, and reputation.

Enter the cloud

On top of that, corporate IT systems are passing through one of the biggest changes in years. Cloud-based Software-as-a-Service (SaaS) platforms are taking the place of on-premises servers. Among the new platforms, none is more important and more prevalent than Microsoft® Office 365. Office 365 has shown itself to be a highly capable bundle of email, scheduling, and collaboration tools, based on Microsoft servers “in the cloud.” Users can tailor it to their specific requirements. All of this can mitigate the upfront costs of deploying new or upgraded messaging systems, reduce ongoing costs by minimizing IT labor requirements, and cut out future upgrade and migration challenges. These are all good things, however, with this increased convenience comes increased concerns about combining vulnerable email systems with cloud-based platforms, however secure they may be.

Using the cloud for email adds a new set of security concerns

Using cloud-based systems can provide a wealth of resources to organizations large and small. However, it is important for any business using cloud-based services to understand the serious challenges, especially in terms of security and handling sensitive data. IT security professionals should ask, of any Office 365 deployment, how emails are secured and encrypted, and who holds the keys.

What can be done about email security concerns with cloud? 

If your company is moving or has already moved to the cloud, our new “Peace of Mind in the Cloud” eBook discusses the security issues associated with email and cloud-based office applications. This ebook educates on the security challenges with vulnerable email infrastructure, how the cloud adds a new layer of challenges to privacy and security, and how HPE SecureMail, our email encryption solution, is a natural complement to Office 365, enhancing its security, privacy, and usability capabilities.

HPE SecureMail enables end-to-end data protection, full privacy, and confidentiality on Office 365. Only your organization has access to the decrypted data, not Microsoft or even Hewlett Packard Enterprise. By encrypting emails when they are generated on desktop, mobile or web, HPE SecureMail addresses these privacy and security concerns, because all content is encrypted end-to-end before it reaches the Office 365 cloud.

The ebook also presents two customer use cases, one of them a top global credit card company with operations spread across several continents. They were very excited about the possibilities that collaboration in the cloud could offer their geographically dispersed employees, but they were also concerned about the privacy and security of their internal and external emails and files stored in the cloud. Using HPE SecureMail gave them "peace of mind in the cloud" by encrypting all sensitive emails and files before they reached the cloud. This solution is now used by tens of thousands of employees and millions of external recipients.

Find out more about the power of our email encryption solution

Find out why HPE SecureMail is a natural fit for companies transitioning to Office 365, enabling a wide variety of use cases and functionality in our new ebook, “Peace of Mind in the Cloud.”

Data Security Key for IoT https://www.voltage.com/iot/data-security-key-iot/ Thu, 23 Feb 2017 23:13:04 +0000

The post Data Security Key for IoT appeared first on HPE Security - Data Security.

In case you haven't been paying attention, Internet of Things (IoT) devices are everywhere: in our appliances at home, in the cars we drive, and in the buildings where we work. The industries that use IoT-connected devices are very diverse: manufacturing, energy, telco, healthcare and transportation, to name just a few. And the number of devices keeps growing. Gartner, Inc. forecast that 6.4 billion connected things would be in use worldwide in 2016, up 30 percent from 2015, reaching 20.8 billion by 2020. And predictably, in 2016 we saw the first IoT breaches, either of the device itself or through theft of its data.

All of this connectivity means more data, gathered from more places, than ever before in history. The Internet of Things has amazing potential. It can transform how and when decisions are made throughout business and our daily lives, but only if that data can be processed, analyzed, and put to use effectively and securely, states the Database Trends and Applications (DBTA) Internet of Things Market Survey.

To shed light on the current state of IoT adoption and maturity, Unisphere Research and DBTA joined forces with Radiant Advisors to launch an IoT market research study, with sponsorship from MapR and HPE Security – Data Security. The researchers surveyed current and potential users across North America to find out what challenges they faced and which success factors are emerging in the market.

Why use IoT?

So with so many devices touching so many aspects of our lives, are businesses fully utilizing the power of IoT? The survey reveals that many companies are only in the early phases of IoT adoption. The primary use cases for IoT involve data analytics and data science to invent new business models and capitalize on insights into customers and products, states the study. So while IoT devices can talk to each other and connect to the internet, IoT is really about the data it collects and how businesses can take advantage of this treasure trove. Although the study did not detail the types of data being collected from such a wide variety of sensors and devices, ultimately, data that identifies an individual will be collected, whether it is a VIN from a connected car or healthcare information from a medical device. Therefore, the study points out, data privacy and security challenges should be addressed early in IoT program design and development.

The top three technologies that buyer-side respondents plan to add, according to the survey, are related to properly supporting data science with IoT initiatives: data analytics or data science platforms (48%), cloud-based big data platforms or services for data acquisition (40%), and data security, encryption and masking (33%). Data security encompasses secure data capture and transport for safely using IoT data—as well as recognition of the potential for secure analytics, states the study.

The top three leading factors that most impact IoT technology decisions for buyer-side respondents are total cost of ownership (31%) followed by data privacy and regulatory compliance concerns (25%), and data security and governance capabilities or adherence at 15%. This demonstrates an awareness of the importance of data privacy and security for handling IoT data.

Unsurprisingly, the survey shows that companies are focused on leveraging advanced analytics and data science in ways that lead to deeper insights about their processes, customers and products, while establishing and reinforcing methods for data privacy and secure analytics.

Obstacles to IoT initiatives

Still, 33% of companies surveyed are having trouble understanding the value of using IoT devices, and 24% can’t justify the return on investment, according to the survey. Data privacy and regulatory compliance is the next most significant challenge, cited by 12% of respondents.

When asked about the role of data security specifically, 78% of buyer-side respondents indicate that data security (or the lack of it) will impact their progress with IoT. It is unfortunate that over three-quarters of respondents are so concerned about not having proper data security in place that it is inhibiting their adoption of this game-changing technology. IoT manufacturers that build security into their devices, and IoT users that follow the best practice of data-centric security, will be the real winners in the rush to utilize IoT.

Conclusion

The IoT Market Survey concludes that it is important to understand the role of data privacy and security and incorporate security into the design and development process. Failure to take into account data privacy and security at the start of an IoT project will likely require retrofitting and/or reassessment of technology decisions, warns the survey. In either case, the associated costs and setbacks will hamper IoT rollout and business planning.

More information:

The post Data Security Key for IoT appeared first on HPE Security - Data Security.
